Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.
Reverse Engineering Dojo: Enhancing Assembly Reading Skills NTT Secure Platform Laboratories SECCON / CTF for GIRLS Asuka ...
#whoami (2020)  Asuka Nakajima Security Researcher at NTT Secure Platform Laboratories Vulnerability Discovery / Reverse ...
Today’s Lecture Malware Analysis Topic: Reverse Engineering Vulnerability Analysis CTF Goal: Enhance Assembly Reading Skil...
Over 10 pages of assembly code! Text book of “Security Camp” (Advanced Information Security Summer School in Japan)
Schedule [Lecture] x86 Assembly Basics 20 min [Exercise] Read x86 Assembly Code 100 min Break 10 min [Lecture + Exercise] ...
x86 Assembly Basics 20min
mov ecx, 0xA push 0x0 pop eax x86 Assembly
mov ecx, 0xA push 0x0 pop eax Instruction(opcode) operand x86 Assembly
mov ecx, 0xA push 0x0 pop eax Register x86 Assembly
Memory that is built into the CPU ・General Purpose Register -eax, ebx , ecx, edx, esp, ebp, esi, edi Register ・Segment Reg...
EAX AH AL AX ESI EDI ESP EBP EIP EFLAGS EBX BH BL BX ECX CH CL CX EDX DH DL DX 4byte 2byte 1byte
mov ecx, 0xA push 0x0 pop eax Stack manipulation instructions x86 Assembly
Region of memory where data is added or removed in a last-in-first out manner push × 3 Data1 Data2 Data3 Data1 pop × 2 Sta...
Stack “grows” towards the lower address Data1 Data2 Data3 Address 0xbffffc30 Stack 0xbffffc38 0xbffffc34 Region of memory ...
Example 1 Example 2(gcc) ■ Function Call function(1, 2, 3); push 0x3 push 0x2 push 0x1 call function add esp, 0xc ・Argumen...
Function Call (Calling Convention) stdcall thiscall fastcall - Standard calling convention for the Win32API - Passes first...
Collection of all data on the stack associated with one function call Function1 Function2 Function3 Stack Function3 Stack ...
int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; ...
int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; ...
int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; ...
int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; ...
int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; ...
int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; ...
int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; ...
int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; ...
int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; ...
int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; ...
mov Copy the value of src operand to dst operand push Stores a value onto the top of the stack pop Loads a value from the ...
Exercise 100min
Exercise Exercise # Topic 1~5 Variable 6~15 Control Flow Statement 16~20 Arithmetic Operation 21~26 Bitwise Operation 27~2...
Exercise $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 14.04 LTS Release: 14.0...
Example 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: mov eax,0x0 80483f5: pop ebp 80483f6: ret 零. 0.bin
Answer int main(){ return 0; } 零. 0.c
Variable 5min
Variable 1 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],0...
Variable 2 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov BYTE PTR [ebp-0x1],0x...
Variable 3 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov WORD PTR [ebp-0x2],0x...
Variable 4 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [ebp-0x8],0...
Variable 5 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],0...
Variable 1 Answer int main(void){ int n = 10; return 0; } 一. 1.c
Variable 2 Answer int main(void){ char n = 'A'; return 0; } 二. 2.c
Variable 3 Answer int main(void){ short int n = 10; return 0; } 三. 3.c
Variable 4 Answer int main(void){ int i = 10; int *n; n = &i; return 0; } 四. 4.c
Variable 5 Answer int n1 = 100; int main(){ int n2 = 0; n2 = n1; return 0; } 五. 5.c
■ Bit / Byte ■ Byte / Word / Double word / Quad word ・ Bit 1 1・ Byte 0010101 ・ Byte A ・ Word B A ・ DWord D C B A Data type...
Control Flow Statements 20min
Control Flow Statements 1 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD ...
Control Flow Statements 1 Answer int main(){ int n = 10; if(n < 100){ return 0; } return 0; } 六. 6.c
Control Flow Statements 2 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD ...
Control Flow Statements 2 Answer int main(){ int n = 10; if(n < 100){ if(n > 50){ return 0; } } return 0; } 七. 7.c
Control Flow Statements 3 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD ...
Control Flow Statements 3 Answer int main(){ int n = 10; int flag; if(n < 100){ flag = 1; }else{ flag = 0; } return 0; } 八...
Control Flow Statements 4 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD ...
Control Flow Statements 4 Answer int main(){ int n = 1; char c; switch(n){ case 1: c = 'A'; break; case 2: c = 'B'; break;...
Control Flow Statements 5 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD ...
Control Flow Statements 5 Answer int main(){ int i; int sum = 0; for(i = 0; i < 10; i++){ sum += i; } return 0; } 十. 10.c
Control Flow Statements 6 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD ...
Control Flow Statements 6 Answer int main(){ int i = 0; int sum = 0; while(i < 10){ sum += i; i++; } return 0; } 十一. 11.c
Control Flow Statements 7 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD ...
Control Flow Statements 7 Answer int main(){ int n = 0; do{ n++; }while(n < 100); return 0; } 十二. 12.c
Control Flow Statements 8 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0xc 80483f3: mov DWORD ...
Control Flow Statements 8 Answer int main(){ int i,j; int sum = 0; for(i = 0; i < 10; i++){ for(j = 0; j < 10; j++){ } sum...
Control Flow Statements 9 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD ...
Control Flow Statements 9 Answer int main(){ int n = 10; if(n == 1){ goto label1; }else if(n == 2){ goto label2; } label1:...
Control Flow Statements 10 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD...
Control Flow Statements 10 Answer int main(){ int n = 0; while(n < 100){ if(n > 100){ continue; } n++; } return 0; } 十五. 1...
Arithmetic operation 5min
Arithmetic Operation 1 080483ed <main>: 80483ed:push ebp 80483ee:mov ebp,esp 80483f0:sub esp,0xc 80483f3:mov DWORD PTR [eb...
Arithmetic Operation 1 Answer int main(){ int n1 = 5; int n2 = 5; int sum = 0; sum = n1 + n2; return 0; } 16.c 十六.
Arithmetic Operation 2 080483ed <main>: 80483ed:push ebp 80483ee:mov ebp,esp 80483f0:sub esp,0xc 80483f3:mov DWORD PTR [eb...
Arithmetic Operation 2 Answer int main(){ int n1 = 5; int n2 = 5; int sum = 0; sum = n1 - n2; return 0; } 17.c 十七.
Arithmetic Operation 3 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0xc 80483f3: mov DWORD PTR...
Arithmetic Operation 3 Answer int main(){ int n1 = 5; int n2 = 5; int sum = 0; sum = n1 * n2; return 0; } 18.c 十八.
Arithmetic Operation 4 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0xc 80483f3: mov DWORD PTR...
Arithmetic Operation 4 Answer int main(){ int n1 = 5; int n2 = 5; int sum = 0; sum = n1 / n2; return 0; } 19.c 十九.
Arithmetic Operation 5 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0xc 80483f3: mov DWORD PTR...
Arithmetic Operation 5 Answer int main(){ int n1 = 5; int n2 = 5; int sum = 0; sum = n1 % n2; return 0; } 20.c 二十.
Bitwise operation 5min
Bitwise Operation 1 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [e...
Bitwise Operation 1 Answer int main(){ int n = 4; int result = 0; result = n & 1; return 0; } 21.c 二十一.
Bitwise Operation 2 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [e...
Bitwise Operation 2 Answer int main(){ int n = 4; int result = 0; result = n | 1; return 0; } 22.c 二十二.
Bitwise Operation 3 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [e...
Bitwise Operation 3 Answer int main(){ int n = 4; int result = 0; result = n ^ 0xFF; return 0; } 23.c 二十三.
Bitwise Operation 4 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [e...
Bitwise Operation 4 Answer int main(){ int n = 4; int result = 0; result = ~n; return 0; } 24.c 二十四.
Bitwise Operation 5 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [e...
Bitwise Operation 5 Answer int main(void){ int n = 10; n = n >> 1; return 0; } 25.c 二十五.
Bitwise Operation 6 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [e...
Bitwise Operation 6 Answer int main(void){ int n = 10; n = n << 1; return 0; } 26.c 二十六.
Function Call 10min
Function Call 1 0804841d <main>: 804841d: push ebp 804841e: mov ebp,esp 8048420: sub esp,0xc 8048423: mov DWORD PTR [ebp-0...
Function Call 1 Answer #include <stdio.h> int main(){ int year = 2016; printf("Year = %d", year); return 0; } 27.c 二十七.
Function Call 2 080483ed <myfunc>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: mov eax,DWORD PTR [ebp+0xc] 80483f3: mo...
Function Call 2 Answer int myfunc(int n1, int n2){ return n1+n2; } int main(){ int sum; sum = myfunc(5,5); return 0; } 28....
Function Call 3 080483ed <myfunc>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: mov eax,DWORD PTR [ebp+0xc] 80483f3: mo...
Function Call 3 Answer int myfunc(int n1, int n2){ return n1+n2; } int main(void){ int sum; int (*p_func)(int,int); p_func...
Type conversion 5min
Type Conversion 1 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov WORD PTR [ebp-...
Type Conversion 1 Answer int main(){ short int n1 = 1; int n2; n2 = (int)n1; return 0; } 30.c 三十.
Type Conversion 2 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [ebp...
Type Conversion 2 Answer int main(){ int n1 = 10; short int n2; n2 = (short int)n1; return 0; } 31.c 三十一.
Various Data Type 20min
Data Type 1 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: and esp,0xfffffff8 80483f3: sub esp,0x8 80483...
Data Type 1 Answer int main(){ double n = 10.1; return 0; } 32.c 三十二.
Data Type 2 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x2c 80483f3: mov DWORD PTR [ebp-0x4]...
Data Type 2 Answer int main(){ int array[10]; int i; for(i = 0; i < 10; i++){ array[i] = i; } return 0; } 33.c 三十三.
Data Type 3 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x198 80483f6: mov DWORD PTR [ebp-0x4...
Data Type 3 Answer int main(){ int array[10][10]; int i,j; for(i = 0; i < 10; i++){ for(j = 0; j < 10; j++){ array[i][j] =...
Data Type 4 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0xc 80483f3: mov DWORD PTR [ebp-0x8],...
Data Type 4 Answer int main(){ int n; int *p_n; int **pp_n; n = 10; p_n = &n; pp_n = &p_n; return 0; } 35.c 三十五.
Data Type 5 0804841d <myfunc>: 804841d: push ebp 804841e: mov ebp,esp 8048420: sub esp,0x8 8048423: mov eax,DWORD PTR [ebp...
Data Type 5 Answer #include <stdio.h> struct student{ int year; int id; }; void myfunc(struct student n){ printf("id=%dn",...
Data Type 6 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: movzx eax,BYTE PTR [ebp-...
Data Type 6 Answer struct flag{ unsigned int up:1; unsigned int on:1; }; int main(void){ struct flag f; f.up = 0; f.on = 1...
Data Type 7 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],...
Data Type 7 Answer union Student{ int year; int id; }; int main(void){ union Student data; data.year = 2016; data.id = 1; ...
Data Type 8 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0xc 80483f3: mov DWORD PTR [ebp-0xc],...
Data Type 8 Answer enum Alpha { A, B, C }; int main() { int a = A; int b = B; int c = C; return 0; } 39.c 三十九.
signed or unsigned 10min
Signed or Unsigned 1 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [...
Signed or Unsigned 1 Answer int main(){ int n = -1; return 0; } 40.c 四十.
Signed or Unsigned 2 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov WORD PTR [e...
Signed or Unsigned 2 Answer int main(){ unsigned short int n1 = 1; unsigned short int result; int n2; n2 = (int)n1; result...
Signed or Unsigned 3 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov WORD PTR [e...
Signed or Unsigned 3 Answer int main(){ short int n1 = 1; short int result; int n2; n2 = (int)n1; result = n1 / n1; if(n1 ...
String Operation 10min
String Operation 1 0804841d <main>: 804841d: push ebp 804841e: mov ebp,esp 8048420: sub esp,0x10 8048423: mov DWORD PTR [e...
String Operation 1 Answer #include <stdio.h> int main(){ char name[] = "Alice"; printf("name = %s n", name); return 0; } 4...
String Operation 2 08048320 <main>: 8048320: push edi 8048321: mov eax,0x65 8048326: push esi 8048327: mov edi,0x8048500 8...
String Operation 2 Answer int strcmp_func(char *str){ if(strcmp(str,"Alice") == 0){ return 1; } return 0; } int main(){ ch...
Break 10min
C++ RE Basics 35min
C++ RE (Background) Most modern application use C++ Internet Explorer, Firefox, etc Some malwares are implemented by C++ C...
Characteristics of C++ binary Calling Convention(thiscall) Mangling Object(Creation/Deletion) Vtable RTTI(RunTimeType Iden...
About the C++ Binary Microsoft(R) C/C++ Optimizing Compiler Version 17.00.50727.1 for x86 Compiler(MSVC) Compiler Option c...
Class 1 (Local)一. class Cat{ public: int age; void meow(); }; void Cat::meow(){ printf("meow!"); } int main(){ Cat foo; fo...
Class 1 (Local) 1.exe .text:00401040 ; int __cdecl main() .text:00401040 _main proc near ; CODE XREF: _main_0j .text:00401...
https://en.wikipedia.org/wiki/Name_mangling#C.2B.2B
Class 1 (Local/meow) 1.exe .text:00401020 ; void __thiscall Cat::meow(Cat *this) .text:00401020 ?meow@Cat@@QAEXXZ proc nea...
Class 2 (Global) class Cat{ public: int age; void meow(); }; void Cat::meow(){ printf("meow!"); } Cat foo; int main(){ foo...
Class 2 (Global) .text:00401040 ; int __cdecl main() .text:00401040 _main proc near; CODE XREF: _main_0j .text:00401040 pu...
Class 3 (new/delete) class Cat{ public: int age; void meow(); }; void Cat::meow(){ printf("meow!"); } int main(){ Cat *foo...
Class 3 (new) .text:00401040 _main proc near ; CODE XREF: _main_0j .text:00401040 .text:00401040 p = dword ptr -0Ch .text:...
Class 3 (delete) .text:0040106A mov edx, [ebp+foo] .text:0040106D mov [ebp+p], edx .text:00401070 mov eax, [ebp+p] .text:0...
Class 4 (Constructor/Destructor) class Cat{ public: int age; Cat(); ~Cat(); void meow(); }; Cat::Cat(){ printf("hi"); } Ca...
Class 4 (Constructor) .text:00401030 ; void __thiscall Cat::Cat(Cat *this) .text:00401030 ??0Cat@@QAE@XZ proc near ;CODE X...
Class 4 (Destructor) .text:00401050 ; void __thiscall Cat::~Cat(Cat *this) .text:00401050 ??1Cat@@QAE@XZ proc near ;CODE X...
Class 4 (Constructor Call/Main) .text:00401090 push ebp .text:00401091 mov ebp, esp .text:00401093 push 0FFFFFFFFh .text:0...
Class 4 (Destructor Call/Main) .text:004010E4 mov edx, [ebp+foo] .text:004010E7 mov [ebp+var_14], edx .text:004010EA mov e...
Class 4 (Inside Helper Func) .text:00401150 push ebp .text:00401151 mov ebp, esp .text:00401153 push ecx .text:00401154 mo...
Class 5 (Encapsulation) class Cat{ public: void meow(); private: int age; void meowmeow(int n); }; void Cat::meowmeow(int ...
Class 5 (Meow Func) .text:00401030 ; void __thiscall Cat::meow(Cat *this) .text:00401030 ?meow@Cat@@QAEXXZ proc near ;CODE...
Class 6 (Inheritance) class Cat{ public: int age; Cat(); ~Cat(); void meow(); }; Cat::Cat(){ printf("hi"); } Cat::~Cat(){ ...
Class 6 (Inheritance) .text:00401110 ; void __thiscall Kitty::Kitty(Kitty *this) .text:00401110 ??0Kitty@@QAE@XZ proc near...
Class 6 (Inheritance/MainFunc) lea ecx, [ebp+foo] ; this call j_??0Kitty@@QAE@XZ ; Kitty::Kitty mov [ebp+foo.baseclass_0.a...
Class 7 (Virtual Function) class Cat{ public: int age; virtual void meow(); virtual void meowmeow(); }; void Cat::meow(){ ...
Class 7 (virtual func) .text:004010F0 ; void __thiscall Cat::Cat(Cat *this) .text:004010F0 ??0Cat@@QAE@XZ proc near ; CODE...
Class 7 (vtable) 7.exe 七. Array of function pointer which is declared as a virtual func Object Vtable Pointer Vtable Point...
Q&A
Nächste SlideShare
Wird geladen in …5
×
Ingenieurwesen
1.663 Aufrufe
1. Jun 2020

Reverse Engineering Dojo: Enhancing Assembly Reading Skills

Lecture slides that I used in Advanced Information Security Summer School (AIS3, 2016 & 2018) in Taiwan. https://ais3.org/

台湾の高度セキュリティ人材育成プログラム(AIS3, 2016/2018)の講義で利用した講義資料です。

no profile picture user

  • Loggen Sie sich ein, um Kommentare anzuzeigen.

Mehr anzeigen

Reverse Engineering Dojo: Enhancing Assembly Reading Skills

  1. 1. Reverse Engineering Dojo: Enhancing Assembly Reading Skills NTT Secure Platform Laboratories SECCON / CTF for GIRLS Asuka Nakajima 逆向工程道場
  2. 2. #whoami (2020)  Asuka Nakajima Security Researcher at NTT Secure Platform Laboratories Vulnerability Discovery / Reverse Engineering / IoT Security  Founder of “CTF for GIRLS” First female infosec community in Japan (est.2014)  Black Hat Asia Review Board From 2018-Present  Veteran Conferences / Events Speaker BlackHatUSA 2019, BlackHat EU 2019, AsiaCCS 2019, ROOTCON 2019, AIS3 2016/2018, PHDays IV, etc
  3. 3. Today’s Lecture Malware Analysis Topic: Reverse Engineering Vulnerability Analysis CTF Goal: Enhance Assembly Reading Skills Read & Read & Read x86 assembly code Ultimate goal: “Human Decompiler” There is no shortcut way to become good RE.
  4. 4. Over 10 pages of assembly code! Text book of “Security Camp” (Advanced Information Security Summer School in Japan)
  5. 5. Schedule [Lecture] x86 Assembly Basics 20 min [Exercise] Read x86 Assembly Code 100 min Break 10 min [Lecture + Exercise] C++ RE Basics 35 min Q&A 5 min
  6. 6. x86 Assembly Basics 20min
  7. 7. mov ecx, 0xA push 0x0 pop eax x86 Assembly
  8. 8. mov ecx, 0xA push 0x0 pop eax Instruction(opcode) operand x86 Assembly
  9. 9. mov ecx, 0xA push 0x0 pop eax Register x86 Assembly
  10. 10. Memory that is built into the CPU ・General Purpose Register -eax, ebx , ecx, edx, esp, ebp, esi, edi Register ・Segment Register -ss, cs, ds, es, fs, gs ・EFLAGS ・EIP ・SSE,MMX,FPU,debug
  11. 11. EAX AH AL AX ESI EDI ESP EBP EIP EFLAGS EBX BH BL BX ECX CH CL CX EDX DH DL DX 4byte 2byte 1byte
  12. 12. mov ecx, 0xA push 0x0 pop eax Stack manipulation instructions x86 Assembly
  13. 13. Region of memory where data is added or removed in a last-in-first out manner push × 3 Data1 Data2 Data3 Data1 pop × 2 Stack
  14. 14. Stack “grows” towards the lower address Data1 Data2 Data3 Address 0xbffffc30 Stack 0xbffffc38 0xbffffc34 Region of memory where data is added or removed in a last-in-first out manner Stack
  15. 15. Example 1 Example 2(gcc) ■ Function Call function(1, 2, 3); push 0x3 push 0x2 push 0x1 call function add esp, 0xc ・Arguments are pushed onto the stack in right-to-left order ・Caller cleans the stack mov DWORD PTR[esp+0x8], 0x3 mov DWORD PTR[esp+0x4], 0x2 mov DWORD PTR[esp], 0x1 call function 3 2 1 Stack Function Call (Calling Convention[cdecl])
  16. 16. Function Call (Calling Convention) stdcall thiscall fastcall - Standard calling convention for the Win32API - Passes first two argument to ecx and edx(msvc) - Callee cleans the stack(msvc) - “this pointer” is passed to ecx as an argument(msvc) - Callee cleans the stack(msvc)/Caller cleans the stack(gcc) - Callee cleans the stack(msvc)
  17. 17. Collection of all data on the stack associated with one function call Function1 Function2 Function3 Stack Function3 Stack Frame Function2 Stack Frame Function1 Stack Frame Base Pointer ebp Stack Pointer esp Stack Frame
  18. 18. int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; } Collection of all data on the stack associated with one function call Stack Frame
  19. 19. int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; } Collection of all data on the stack associated with one function call Stack Frame
  20. 20. int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; } 2 Collection of all data on the stack associated with one function call Stack Frame
  21. 21. int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; } 2 1 Collection of all data on the stack associated with one function call Stack Frame
  22. 22. int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; } 2 1 Return Address Collection of all data on the stack associated with one function call Stack Frame
  23. 23. int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; } 2 1 Return Address Saved BP(Main) Collection of all data on the stack associated with one function call Stack Frame
  24. 24. int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; } 2 1 Return Address Saved BP(Main) Base Pointer ebp Collection of all data on the stack associated with one function call Stack Frame
  25. 25. int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; } 2 1 Return Address Saved BP(Main) sum=3 Collection of all data on the stack associated with one function call Stack Frame
  26. 26. int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; } 2 1 Return Address Saved BP(Main) sum=3 Restore the BP (& Stack Pointer) Collection of all data on the stack associated with one function call Stack Frame
  27. 27. int main(){ add(1,2); return 0; } Stack Caller Function Callee Function void add(int n1, int n2){ int sum; sum = n1 + n2; } 2 1 Return Address Saved BP(Main) sum=3 Return to Caller Funcion(Main)by using Return Address Collection of all data on the stack associated with one function call Stack Frame
  28. 28. mov Copy the value of src operand to dst operand push Stores a value onto the top of the stack pop Loads a value from the top of the stack call Call the function(ex. call MessageBoxA) cmp Compare the value of src operand and dst operand jmp(je, jg, jle) Go to designated address(jmp is unconditional jump) je:jump if equal, jg:jump if greater, jle:jump if less or equal ret Return to called function leave Same as “mov esp, ebp”→”pop ebp” add Addition sub Subtraction Instructions
  29. 29. Exercise 100min
  30. 30. Exercise Exercise # Topic 1~5 Variable 6~15 Control Flow Statement 16~20 Arithmetic Operation 21~26 Bitwise Operation 27~29 Function Call 30~31 Type Conversion 32~39 Various Data Types 40~42 Signed or Unsigned 43~44 String Operation
  31. 31. Exercise $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 14.04 LTS Release: 14.04 Codename: trusty $ gcc --version gcc (Ubuntu 4.8.4-2ubuntu1~14.04) 4.8.4 gcc -O0 -mpreferred-stack-boundary=2 ex.c –o ex objdump -d -M intel --no-show-raw-insn ex Compiler Compiler Option Disassembler
  32. 32. Example 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: mov eax,0x0 80483f5: pop ebp 80483f6: ret 零. 0.bin
  33. 33. Answer int main(){ return 0; } 零. 0.c
  34. 34. Variable 5min
  35. 35. Variable 1 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],0xa 80483fa: mov eax,0x0 80483ff: leave 8048400: ret 一. 1.bin
  36. 36. Variable 2 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov BYTE PTR [ebp-0x1],0x41 80483f7: mov eax,0x0 80483fc: leave 80483fd: ret 二. 2.bin
  37. 37. Variable 3 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov WORD PTR [ebp-0x2],0xa 80483f9: mov eax,0x0 80483fe: leave 80483ff: ret 三. 3.bin
  38. 38. Variable 4 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [ebp-0x8],0xa 80483fa: lea eax,[ebp-0x8] 80483fd: mov DWORD PTR [ebp-0x4],eax 8048400: mov eax,0x0 8048405: leave 8048406: ret 四. 4.bin
  39. 39. Variable 5 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],0x0 80483fa: mov eax,ds:0x804a01c 80483ff: mov DWORD PTR [ebp-0x4],eax 8048402: mov eax,0x0 8048407: leave 8048408: ret 五. 5.bin 0x804a01c: 0x64
  40. 40. Variable 1 Answer int main(void){ int n = 10; return 0; } 一. 1.c
  41. 41. Variable 2 Answer int main(void){ char n = 'A'; return 0; } 二. 2.c
  42. 42. Variable 3 Answer int main(void){ short int n = 10; return 0; } 三. 3.c
  43. 43. Variable 4 Answer int main(void){ int i = 10; int *n; n = &i; return 0; } 四. 4.c
  44. 44. Variable 5 Answer int n1 = 100; int main(){ int n2 = 0; n2 = n1; return 0; } 五. 5.c
  45. 45. ■ Bit / Byte ■ Byte / Word / Double word / Quad word ・ Bit 1 1・ Byte 0010101 ・ Byte A ・ Word B A ・ DWord D C B A Data type(Reference) ・ QWord D C B AH G F E
  46. 46. Control Flow Statements 20min
  47. 47. Control Flow Statements 1 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],0xa 80483fa: cmp DWORD PTR [ebp-0x4],0x63 80483fe: jg 8048407 <main+0x1a> 8048400: mov eax,0x0 8048405: jmp 804840c <main+0x1f> 8048407: mov eax,0x0 804840c: leave 804840d: ret 六. 6.bin
  48. 48. Control Flow Statements 1 Answer int main(){ int n = 10; if(n < 100){ return 0; } return 0; } 六. 6.c
  49. 49. Control Flow Statements 2 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],0xa 80483fa: cmp DWORD PTR [ebp-0x4],0x63 80483fe: jg 804840d <main+0x20> 8048400: cmp DWORD PTR [ebp-0x4],0x32 8048404: jle 804840d <main+0x20> 8048406: mov eax,0x0 804840b: jmp 8048412 <main+0x25> 804840d: mov eax,0x0 8048412: leave 8048413: ret 七. 7.bin
  50. 50. Control Flow Statements 2 Answer int main(){ int n = 10; if(n < 100){ if(n > 50){ return 0; } } return 0; } 七. 7.c
  51. 51. Control Flow Statements 3 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [ebp-0x4],0xa 80483fa: cmp DWORD PTR [ebp-0x4],0x63 80483fe: jg 8048409 <main+0x1c> 8048400: mov DWORD PTR [ebp-0x8],0x1 8048407: jmp 8048410 <main+0x23> 8048409: mov DWORD PTR [ebp-0x8],0x0 8048410: mov eax,0x0 8048415: leave 8048416: ret 八. 8.bin
  52. 52. Control Flow Statements 3 Answer int main(){ int n = 10; int flag; if(n < 100){ flag = 1; }else{ flag = 0; } return 0; } 八. 8.c
  53. 53. Control Flow Statements 4 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [ebp-0x4],0x1 80483fa: mov eax,DWORD PTR [ebp-0x4] 80483fd: cmp eax,0x2 8048400: je 8048412 <main+0x25> 8048402: cmp eax,0x3 8048405: je 8048418 <main+0x2b> 8048407: cmp eax,0x1 804840a: jne 804841e <main+0x31> 804840c: mov BYTE PTR [ebp-0x5],0x41 8048410: jmp 8048423 <main+0x36> 8048412: mov BYTE PTR [ebp-0x5],0x42 8048416: jmp 8048423 <main+0x36> 8048418: mov BYTE PTR [ebp-0x5],0x43 804841c: jmp 8048423 <main+0x36> 804841e: mov BYTE PTR [ebp-0x5],0x44 8048422: nop 8048423: mov eax,0x0 8048428: leave 8048429: ret 九. 9.bin
  54. 54. Control Flow Statements 4 Answer int main(){ int n = 1; char c; switch(n){ case 1: c = 'A'; break; case 2: c = 'B'; break; case 3: c = 'C'; break; default: c = 'D'; break; } return 0; } 九. 9.c
  55. 55. Control Flow Statements 5 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [ebp-0x8],0x0 80483fa: mov DWORD PTR [ebp-0x4],0x0 8048401: jmp 804840d <main+0x20> 8048403: mov eax,DWORD PTR [ebp-0x4] 8048406: add DWORD PTR [ebp-0x8],eax 8048409: add DWORD PTR [ebp-0x4],0x1 804840d: cmp DWORD PTR [ebp-0x4],0x9 8048411: jle 8048403 <main+0x16> 8048413: mov eax,0x0 8048418: leave 8048419: ret 十. 10.bin Hint: for
  56. 56. Control Flow Statements 5 Answer int main(){ int i; int sum = 0; for(i = 0; i < 10; i++){ sum += i; } return 0; } 十. 10.c
  57. 57. Control Flow Statements 6 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [ebp-0x8],0x0 80483fa: mov DWORD PTR [ebp-0x4],0x0 8048401: jmp 804840d <main+0x20> 8048403: mov eax,DWORD PTR [ebp-0x4] 8048406: add DWORD PTR [ebp-0x8],eax 8048409: add DWORD PTR [ebp-0x4],0x1 804840d: cmp DWORD PTR [ebp-0x4],0x9 8048411: jle 8048403 <main+0x16> 8048413: mov eax,0x0 8048418: leave 8048419: ret 十一. 11.bin Hint: while
  58. 58. Control Flow Statements 6 Answer int main(){ int i = 0; int sum = 0; while(i < 10){ sum += i; i++; } return 0; } 十一. 11.c
  59. 59. Control Flow Statements 7 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],0x0 80483fa: add DWORD PTR [ebp-0x4],0x1 80483fe: cmp DWORD PTR [ebp-0x4],0x63 8048402: jle 80483fa <main+0xd> 8048404: mov eax,0x0 8048409: leave 804840a: ret 十二. 12.bin
  60. 60. Control Flow Statements 7 Answer int main(){ int n = 0; do{ n++; }while(n < 100); return 0; } 十二. 12.c
  61. 61. Control Flow Statements 8 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0xc 80483f3: mov DWORD PTR [ebp-0xc],0x0 80483fa: mov DWORD PTR [ebp-0x4],0x0 8048401: jmp 8048424 <main+0x37> 8048403: mov DWORD PTR [ebp-0x8],0x0 804840a: jmp 8048410 <main+0x23> 804840c: add DWORD PTR [ebp-0x8],0x1 8048410: cmp DWORD PTR [ebp-0x8],0x9 8048414: jle 804840c <main+0x1f> 8048416: mov eax,DWORD PTR [ebp-0x4] 8048419: imul eax,DWORD PTR [ebp-0x8] 804841d: mov DWORD PTR [ebp-0xc],eax 8048420: add DWORD PTR [ebp-0x4],0x1 8048424: cmp DWORD PTR [ebp-0x4],0x9 8048428: jle 8048403 <main+0x16> 804842a: mov eax,0x0 804842f: leave 8048430: ret 十三. 13.bin
  62. 62. Control Flow Statements 8 Answer int main(){ int i,j; int sum = 0; for(i = 0; i < 10; i++){ for(j = 0; j < 10; j++){ } sum = i*j; } return 0; } 十三. 13.c
  63. 63. Control Flow Statements 9 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],0xa 80483fa: cmp DWORD PTR [ebp-0x4],0x1 80483fe: jne 8048402 <main+0x15> 8048400: jmp 8048417 <main+0x2a> 8048402: cmp DWORD PTR [ebp-0x4],0x2 8048406: jne 8048417 <main+0x2a> 8048408: nop 8048409: mov DWORD PTR [ebp-0x4],0x0 8048410: mov eax,0x0 8048415: jmp 804841c <main+0x2f> 8048417: mov eax,0x1 804841c: leave 804841d: ret 十四. 14.bin
  64. 64. Control Flow Statements 9 Answer int main(){ int n = 10; if(n == 1){ goto label1; }else if(n == 2){ goto label2; } label1: return 1; label2: n = 0; return 0; } 十四. 14.c
  65. 65. Control Flow Statements 10 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],0x0 80483fa: jmp 8048408 <main+0x1b> 80483fc: cmp DWORD PTR [ebp-0x4],0x64 8048400: jle 8048404 <main+0x17> 8048402: jmp 8048408 <main+0x1b> 8048404: add DWORD PTR [ebp-0x4],0x1 8048408: cmp DWORD PTR [ebp-0x4],0x63 804840c: jle 80483fc <main+0xf> 804840e: mov eax,0x0 8048413: leave 8048414: ret 十五. 15.bin
  66. 66. Control Flow Statements 10 Answer int main(){ int n = 0; while(n < 100){ if(n > 100){ continue; } n++; } return 0; } 十五. 15.c
  67. 67. Arithmetic operation 5min
  68. 68. Arithmetic Operation 1 080483ed <main>: 80483ed:push ebp 80483ee:mov ebp,esp 80483f0:sub esp,0xc 80483f3:mov DWORD PTR [ebp-0x4],0x5 80483fa:mov DWORD PTR [ebp-0x8],0x5 8048401:mov DWORD PTR [ebp-0xc],0x0 8048408:mov eax,DWORD PTR [ebp-0x8] 804840b:mov edx,DWORD PTR [ebp-0x4] 804840e:add eax,edx 8048410:mov DWORD PTR [ebp-0xc],eax 8048413:mov eax,0x0 8048418:leave 8048419:ret 十六. 16.bin
  69. 69. Arithmetic Operation 1 Answer int main(){ int n1 = 5; int n2 = 5; int sum = 0; sum = n1 + n2; return 0; } 16.c 十六.
  70. 70. Arithmetic Operation 2 080483ed <main>: 80483ed:push ebp 80483ee:mov ebp,esp 80483f0:sub esp,0xc 80483f3:mov DWORD PTR [ebp-0x4],0x5 80483fa:mov DWORD PTR [ebp-0x8],0x5 8048401:mov DWORD PTR [ebp-0xc],0x0 8048408:mov eax,DWORD PTR [ebp-0x8] 804840b:mov edx,DWORD PTR [ebp-0x4] 804840e:sub edx,eax 8048410:mov eax,edx 8048412:mov DWORD PTR [ebp-0xc],eax 8048415:mov eax,0x0 804841a:leave 804841b:ret 十七. 17.bin
  71. 71. Arithmetic Operation 2 Answer int main(){ int n1 = 5; int n2 = 5; int sum = 0; sum = n1 - n2; return 0; } 17.c 十七.
  72. 72. Arithmetic Operation 3 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0xc 80483f3: mov DWORD PTR [ebp-0x4],0x5 80483fa: mov DWORD PTR [ebp-0x8],0x5 8048401: mov DWORD PTR [ebp-0xc],0x0 8048408: mov eax,DWORD PTR [ebp-0x4] 804840b: imul eax,DWORD PTR [ebp-0x8] 804840f: mov DWORD PTR [ebp-0xc],eax 8048412: mov eax,0x0 8048417: leave 8048418: ret 十八. 18.bin
  73. 73. Arithmetic Operation 3 Answer int main(){ int n1 = 5; int n2 = 5; int sum = 0; sum = n1 * n2; return 0; } 18.c 十八.
  74. 74. Arithmetic Operation 4 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0xc 80483f3: mov DWORD PTR [ebp-0x4],0x5 80483fa: mov DWORD PTR [ebp-0x8],0x5 8048401: mov DWORD PTR [ebp-0xc],0x0 8048408: mov eax,DWORD PTR [ebp-0x4] 804840b: cdq 804840c: idiv DWORD PTR [ebp-0x8] 804840f: mov DWORD PTR [ebp-0xc],eax 8048412: mov eax,0x0 8048417: leave 8048418: ret 十九. 19.bin
  75. 75. Arithmetic Operation 4 Answer int main(){ int n1 = 5; int n2 = 5; int sum = 0; sum = n1 / n2; return 0; } 19.c 十九.
  76. 76. Arithmetic Operation 5 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0xc 80483f3: mov DWORD PTR [ebp-0x4],0x5 80483fa: mov DWORD PTR [ebp-0x8],0x5 8048401: mov DWORD PTR [ebp-0xc],0x0 8048408: mov eax,DWORD PTR [ebp-0x4] 804840b: cdq 804840c: idiv DWORD PTR [ebp-0x8] 804840f: mov DWORD PTR [ebp-0xc],edx 8048412: mov eax,0x0 8048417: leave 8048418: ret 二十. 20.bin
  77. 77. Arithmetic Operation 5 Answer int main(){ int n1 = 5; int n2 = 5; int sum = 0; sum = n1 % n2; return 0; } 20.c 二十.
  78. 78. Bitwise operation 5min
  79. 79. Bitwise Operation 1 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [ebp-0x4],0x4 80483fa: mov DWORD PTR [ebp-0x8],0x0 8048401: mov eax,DWORD PTR [ebp-0x4] 8048404: and eax,0x1 8048407: mov DWORD PTR [ebp-0x8],eax 804840a: mov eax,0x0 804840f: leave 8048410: ret 21.bin 二十一.
  80. 80. Bitwise Operation 1 Answer int main(){ int n = 4; int result = 0; result = n & 1; return 0; } 21.c 二十一.
  81. 81. Bitwise Operation 2 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [ebp-0x4],0x4 80483fa: mov DWORD PTR [ebp-0x8],0x0 8048401: mov eax,DWORD PTR [ebp-0x4] 8048404: or eax,0x1 8048407: mov DWORD PTR [ebp-0x8],eax 804840a: mov eax,0x0 804840f: leave 8048410: ret 22.bin 二十二.
  82. 82. Bitwise Operation 2 Answer int main(){ int n = 4; int result = 0; result = n | 1; return 0; } 22.c 二十二.
  83. 83. Bitwise Operation 3 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [ebp-0x4],0x4 80483fa: mov DWORD PTR [ebp-0x8],0x0 8048401: mov eax,DWORD PTR [ebp-0x4] 8048404: xor al,0xff 8048406: mov DWORD PTR [ebp-0x8],eax 8048409: mov eax,0x0 804840e: leave 804840f: ret 23.bin 二十三.
  84. 84. Bitwise Operation 3 Answer int main(){ int n = 4; int result = 0; result = n ^ 0xFF; return 0; } 23.c 二十三.
  85. 85. Bitwise Operation 4 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [ebp-0x4],0x4 80483fa: mov DWORD PTR [ebp-0x8],0x0 8048401: mov eax,DWORD PTR [ebp-0x4] 8048404: not eax 8048406: mov DWORD PTR [ebp-0x8],eax 8048409: mov eax,0x0 804840e: leave 804840f: ret 24.bin 二十四.
  86. 86. Bitwise Operation 4 Answer int main(){ int n = 4; int result = 0; result = ~n; return 0; } 24.c 二十四.
  87. 87. Bitwise Operation 5 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],0xa 80483fa: sar DWORD PTR [ebp-0x4],1 80483fd: mov eax,0x0 8048402: leave 8048403: ret 25.bin 二十五.
  88. 88. Bitwise Operation 5 Answer int main(void){ int n = 10; n = n >> 1; return 0; } 25.c 二十五.
  89. 89. Bitwise Operation 6 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],0xa 80483fa: shl DWORD PTR [ebp-0x4],1 80483fd: mov eax,0x0 8048402: leave 8048403: ret 26.bin 二十六.
  90. 90. Bitwise Operation 6 Answer int main(void){ int n = 10; n = n << 1; return 0; } 26.c 二十六.
  91. 91. Function Call 10min
  92. 92. Function Call 1 0804841d <main>: 804841d: push ebp 804841e: mov ebp,esp 8048420: sub esp,0xc 8048423: mov DWORD PTR [ebp-0x4],0x7e0 804842a: mov eax,DWORD PTR [ebp-0x4] 804842d: mov DWORD PTR [esp+0x4],eax 8048431: mov DWORD PTR [esp],0x80484e0 8048438: call 80482f0 <printf@plt> 804843d: mov eax,0x0 8048442: leave 8048443: ret 27.bin 二十七. 0x80484e0: "Year = %d"
  93. 93. Function Call 1 Answer #include <stdio.h> int main(){ int year = 2016; printf("Year = %d", year); return 0; } 27.c 二十七.
  94. 94. Function Call 2 080483ed <myfunc>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: mov eax,DWORD PTR [ebp+0xc] 80483f3: mov edx,DWORD PTR [ebp+0x8] 80483f6: add eax,edx 80483f8: pop ebp 80483f9: ret 080483fa <main>: 80483fa: push ebp 80483fb: mov ebp,esp 80483fd: sub esp,0xc 8048400: mov DWORD PTR [esp+0x4],0x5 8048408: mov DWORD PTR [esp],0x5 804840f: call 80483ed <myfunc> 8048414: mov DWORD PTR [ebp-0x4],eax 8048417: mov eax,0x0 804841c: leave 804841d: ret 28.bin 二十八.
  95. 95. Function Call 2 Answer int myfunc(int n1, int n2){ return n1+n2; } int main(){ int sum; sum = myfunc(5,5); return 0; } 28.c 二十八.
  96. 96. Function Call 3 080483ed <myfunc>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: mov eax,DWORD PTR [ebp+0xc] 80483f3: mov edx,DWORD PTR [ebp+0x8] 80483f6: add eax,edx 80483f8: pop ebp 80483f9: ret 080483fa <main>: 80483fa: push ebp 80483fb: mov ebp,esp 80483fd: sub esp,0x10 8048400: mov DWORD PTR [ebp-0x4],0x80483ed 8048407: mov DWORD PTR [esp+0x4],0x5 804840f: mov DWORD PTR [esp],0x5 8048416: mov eax,DWORD PTR [ebp-0x4] 8048419: call eax 804841b: mov DWORD PTR [ebp-0x8],eax 804841e: mov eax,0x0 8048423: leave 8048424: ret 29.bin 二十九.
  97. 97. Function Call 3 Answer int myfunc(int n1, int n2){ return n1+n2; } int main(void){ int sum; int (*p_func)(int,int); p_func = myfunc; sum = (*p_func)(5,5); return 0; } 29.c 二十九.
  98. 98. Type conversion 5min
  99. 99. Type Conversion 1 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov WORD PTR [ebp-0x2],0x1 80483f9: movsx eax,WORD PTR [ebp-0x2] 80483fd: mov DWORD PTR [ebp-0x8],eax 8048400: mov eax,0x0 8048405: leave 8048406: ret 30.bin 三十.
  100. 100. Type Conversion 1 Answer int main(){ short int n1 = 1; int n2; n2 = (int)n1; return 0; } 30.c 三十.
  101. 101. Type Conversion 2 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov DWORD PTR [ebp-0x4],0xa 80483fa: mov eax,DWORD PTR [ebp-0x4] 80483fd: mov WORD PTR [ebp-0x6],ax 8048401: mov eax,0x0 8048406: leave 8048407: ret 31.bin 三十一.
  102. 102. Type Conversion 2 Answer int main(){ int n1 = 10; short int n2; n2 = (short int)n1; return 0; } 31.c 三十一.
  103. 103. Various Data Type 20min
  104. 104. Data Type 1 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: and esp,0xfffffff8 80483f3: sub esp,0x8 80483f6: fld QWORD PTR ds:0x80484a0 80483fc: fstp QWORD PTR [esp] 80483ff: mov eax,0x0 8048404: leave 8048405: ret 32.bin 三十二. 0x80484a0: → 0x4024333333333333 =10.1(decimal)
  105. 105. Data Type 1 Answer int main(){ double n = 10.1; return 0; } 32.c 三十二.
  106. 106. Data Type 2 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x2c 80483f3: mov DWORD PTR [ebp-0x4],0x0 80483fa: jmp 804840a <main+0x1d> 80483fc: mov eax,DWORD PTR [ebp-0x4] 80483ff: mov edx,DWORD PTR [ebp-0x4] 8048402: mov DWORD PTR [ebp+eax*4-0x2c],edx 8048406: add DWORD PTR [ebp-0x4],0x1 804840a: cmp DWORD PTR [ebp-0x4],0x9 804840e: jle 80483fc <main+0xf> 8048410: mov eax,0x0 8048415: leave 8048416: ret 33.bin 三十三.
  107. 107. Data Type 2 Answer int main(){ int array[10]; int i; for(i = 0; i < 10; i++){ array[i] = i; } return 0; } 33.c 三十三.
  108. 108. Data Type 3 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x198 80483f6: mov DWORD PTR [ebp-0x4],0x0 80483fd: jmp 8048432 <main+0x45> 80483ff: mov DWORD PTR [ebp-0x8],0x0 8048406: jmp 8048428 <main+0x3b> 8048408: mov edx,DWORD PTR [ebp-0x4] 804840b: mov eax,edx 804840d: shl eax,0x2 8048410: add eax,edx 8048412: add eax,eax 8048414: mov edx,DWORD PTR [ebp-0x8] 8048417: add eax,edx 8048419: mov DWORD PTR [ebp+eax*4-0x198],0xa 8048424: add DWORD PTR [ebp-0x8],0x1 8048428: cmp DWORD PTR [ebp-0x8],0x9 804842c: jle 8048408 <main+0x1b> 804842e: add DWORD PTR [ebp-0x4],0x1 8048432: cmp DWORD PTR [ebp-0x4],0x9 8048436: jle 80483ff <main+0x12> 8048438: mov eax,0x0 804843d: leave 804843e: ret 34.bin 三十四.
  109. 109. Data Type 3 Answer int main(){ int array[10][10]; int i,j; for(i = 0; i < 10; i++){ for(j = 0; j < 10; j++){ array[i][j] = 10; } } return 0; } 34.c 三十四.
  110. 110. Data Type 4 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0xc 80483f3: mov DWORD PTR [ebp-0x8],0xa 80483fa: lea eax,[ebp-0x8] 80483fd: mov DWORD PTR [ebp-0xc],eax 8048400: lea eax,[ebp-0xc] 8048403: mov DWORD PTR [ebp-0x4],eax 8048406: mov eax,0x0 804840b: leave 804840c: ret 35.bin 三十五.
  111. 111. Data Type 4 Answer int main(){ int n; int *p_n; int **pp_n; n = 10; p_n = &n; pp_n = &p_n; return 0; } 35.c 三十五.
  112. 112. Data Type 5 0804841d <myfunc>: 804841d: push ebp 804841e: mov ebp,esp 8048420: sub esp,0x8 8048423: mov eax,DWORD PTR [ebp+0xc] 8048426: mov DWORD PTR [esp+0x4],eax 804842a: mov DWORD PTR [esp],0x8048500 8048431: call 80482f0 <printf@plt> 8048436: leave 8048437: ret 08048438 <main>: 8048438: push ebp 8048439: mov ebp,esp 804843b: sub esp,0x10 804843e: mov DWORD PTR [ebp-0x8],0x7e0 8048445: mov DWORD PTR [ebp-0x4],0x1 804844c: mov eax,DWORD PTR [ebp-0x8] 804844f: mov edx,DWORD PTR [ebp-0x4] 8048452: mov DWORD PTR [esp],eax 8048455: mov DWORD PTR [esp+0x4],edx 8048459: call 804841d <myfunc> 804845e: mov eax,0x0 8048463: leave 8048464: ret 36.bin 三十六. Hint: structure 0x8048500: "id=%dn"
  113. 113. Data Type 5 Answer #include <stdio.h> struct student{ int year; int id; }; void myfunc(struct student n){ printf("id=%dn",n.id); } int main(void){ struct student data; data.year = 2016; data.id = 1; myfunc(data); return 0; } 36.c 三十六.
  114. 114. Data Type 6 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: movzx eax,BYTE PTR [ebp-0x4] 80483f7: and eax,0xfffffffe 80483fa: mov BYTE PTR [ebp-0x4],al 80483fd: movzx eax,BYTE PTR [ebp-0x4] 8048401: or eax,0x2 8048404: mov BYTE PTR [ebp-0x4],al 8048407: mov eax,0x0 804840c: leave 804840d: ret 37.bin 三十七. Hint: structure
  115. 115. Data Type 6 Answer struct flag{ unsigned int up:1; unsigned int on:1; }; int main(void){ struct flag f; f.up = 0; f.on = 1; return 0; } 37.c 三十七.
  116. 116. Data Type 7 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],0x7e0 80483fa: mov DWORD PTR [ebp-0x4],0x1 8048401: mov eax,0x0 8048406: leave 8048407: ret 38.bin 三十八. Hint: union
  117. 117. Data Type 7 Answer union Student{ int year; int id; }; int main(void){ union Student data; data.year = 2016; data.id = 1; return 0; } 38.c 三十八.
  118. 118. Data Type 8 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0xc 80483f3: mov DWORD PTR [ebp-0xc],0x0 80483fa: mov DWORD PTR [ebp-0x8],0x1 8048401: mov DWORD PTR [ebp-0x4],0x2 8048408: mov eax,0x0 804840d: leave 804840e: ret 39.bin 三十九. Hint: enum
  119. 119. Data Type 8 Answer enum Alpha { A, B, C }; int main() { int a = A; int b = B; int c = C; return 0; } 39.c 三十九.
  120. 120. signed or unsigned 10min
  121. 121. Signed or Unsigned 1 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x4 80483f3: mov DWORD PTR [ebp-0x4],0xffffffff 80483fa: mov eax,0x0 80483ff: leave 8048400: ret 40.bin 四十. Hint: signed
  122. 122. Signed or Unsigned 1 Answer int main(){ int n = -1; return 0; } 40.c 四十.
  123. 123. Signed or Unsigned 2 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov WORD PTR [ebp-0x8],0x1 80483f9: movzx eax,WORD PTR [ebp-0x8] 80483fd: mov DWORD PTR [ebp-0x4],eax 8048400: movzx eax,WORD PTR [ebp-0x8] 8048404: mov edx,0x0 8048409: div WORD PTR [ebp-0x8] 804840d: mov WORD PTR [ebp-0x6],ax 8048411: cmp WORD PTR [ebp-0x8],0x64 8048416: jbe 804841f <main+0x32> 8048418: mov eax,0x0 804841d: jmp 8048424 <main+0x37> 804841f: mov eax,0x0 8048424: leave 8048425: ret 41.bin 四十一.
  124. 124. Signed or Unsigned 2 Answer int main(){ unsigned short int n1 = 1; unsigned short int result; int n2; n2 = (int)n1; result = n1 / n1; if(n1 > 100){ return 0; } return 0; } 41.c 四十一.
  125. 125. Signed or Unsigned 3 080483ed <main>: 80483ed: push ebp 80483ee: mov ebp,esp 80483f0: sub esp,0x8 80483f3: mov WORD PTR [ebp-0x8],0x1 80483f9: movsx eax,WORD PTR [ebp-0x8] 80483fd: mov DWORD PTR [ebp-0x4],eax 8048400: movsx eax,WORD PTR [ebp-0x8] 8048404: movsx ecx,WORD PTR [ebp-0x8] 8048408: cdq 8048409: idiv ecx 804840b: mov WORD PTR [ebp-0x6],ax 804840f: cmp WORD PTR [ebp-0x8],0x64 8048414: jle 804841d <main+0x30> 8048416: mov eax,0x0 804841b: jmp 8048422 <main+0x35> 804841d: mov eax,0x0 8048422: leave 8048423: ret 42.bin 四十二.
  126. 126. Signed or Unsigned 3 Answer int main(){ short int n1 = 1; short int result; int n2; n2 = (int)n1; result = n1 / n1; if(n1 > 100){ return 0; } return 0; } 42.c 四十二.
  127. 127. String Operation 10min
  128. 128. String Operation 1 0804841d <main>: 804841d: push ebp 804841e: mov ebp,esp 8048420: sub esp,0x10 8048423: mov DWORD PTR [ebp-0x6],0x63696c41 804842a: mov WORD PTR [ebp-0x2],0x65 8048430: lea eax,[ebp-0x6] 8048433: mov DWORD PTR [esp+0x4],eax 8048437: mov DWORD PTR [esp],0x80484e0 804843e: call 80482f0 <printf@plt> 8048443: mov eax,0x0 8048448: leave 8048449: ret 43.bin 四十三. 0x80484e0: “name=%sn" ※ gcc -O0 -mpreferred-stack-boundary=2 -fno-stack-protector
  129. 129. String Operation 1 Answer #include <stdio.h> int main(){ char name[] = "Alice"; printf("name = %s n", name); return 0; } 43.c 四十三.
  130. 130. String Operation 2 08048320 <main>: 8048320: push edi 8048321: mov eax,0x65 8048326: push esi 8048327: mov edi,0x8048500 804832c: sub esp,0xc 804832f: mov ecx,0x6 8048334: mov DWORD PTR [esp+0x6],0x63696c41 804833c: lea esi,[esp+0x6] 8048340: mov WORD PTR [esp+0xa],ax 8048345: repz cmps BYTE PTR ds:[esi],BYTE PTR es:[edi] 8048347: jne 8048355 <main+0x35> 8048349: mov DWORD PTR [esp],0x8048506 8048350: call 80482f0 <puts@plt> 8048355: add esp,0xc 8048358: xor eax,eax 804835a: pop esi 804835b: pop edi 804835c: ret 44.bin 四十四. 0x8048506: “Hey Alice!n" ※ gcc –O3 -mpreferred-stack-boundary=2 -fno-stack-protector -D_FORTIFY_SOURCE=0 0x8048500: “Alice"
  131. 131. String Operation 2 Answer int strcmp_func(char *str){ if(strcmp(str,"Alice") == 0){ return 1; } return 0; } int main(){ char name[] = "Alice"; int flag; flag = strcmp_func(name); if(flag == 1){ printf("Hey Alice!n"); } return 0; } 44.c 四十四.
  132. 132. Break 10min
  133. 133. C++ RE Basics 35min
  134. 134. C++ RE (Background) Most modern application use C++ Internet Explorer, Firefox, etc Some malwares are implemented by C++ C++ RE skill is important
  135. 135. Characteristics of C++ binary Calling Convention(thiscall) Mangling Object(Creation/Deletion) Vtable RTTI(RunTimeType Identification) C++ class is basically same as a structure type. However, the following points are different.
  136. 136. About the C++ Binary Microsoft(R) C/C++ Optimizing Compiler Version 17.00.50727.1 for x86 Compiler(MSVC) Compiler Option cl /Od /Zi /GS- /INCRIMENTAL:NO example.cpp Disassembler IDA pro 6.8
  137. 137. Class 1 (Local)一. class Cat{ public: int age; void meow(); }; void Cat::meow(){ printf("meow!"); } int main(){ Cat foo; foo.age = 10; foo.meow(); return 0; } 1.cpp
  138. 138. Class 1 (Local) 1.exe .text:00401040 ; int __cdecl main() .text:00401040 _main proc near ; CODE XREF: _main_0j .text:00401040 .text:00401040 foo = Cat ptr -4 .text:00401040 .text:00401040 push ebp .text:00401041 mov ebp, esp .text:00401043 push ecx .text:00401044 mov [ebp+foo.age], 0Ah .text:0040104B lea ecx, [ebp+foo] ; this .text:0040104E call j_?meow@Cat@@QAEXXZ ; Cat::meow(void) .text:00401053 xor eax, eax .text:00401055 mov esp, ebp .text:00401057 pop ebp .text:00401058 retn .text:00401058 _main endp 一.
  139. 139. https://en.wikipedia.org/wiki/Name_mangling#C.2B.2B
  140. 140. Class 1 (Local/meow) 1.exe .text:00401020 ; void __thiscall Cat::meow(Cat *this) .text:00401020 ?meow@Cat@@QAEXXZ proc near ;CODE XREF:Cat::meow(void) .text:00401020 .text:00401020 this = dword ptr -4 .text:00401020 .text:00401020 push ebp .text:00401021 mov ebp, esp .text:00401023 push ecx .text:00401024 mov [ebp+this], ecx .text:00401027 push offset format ; "meow!" .text:0040102C call _printf .text:00401031 add esp, 4 .text:00401034 mov esp, ebp .text:00401036 pop ebp .text:00401037 retn .text:00401037 ?meow@Cat@@QAEXXZ endp 一.
  141. 141. Class 2 (Global) class Cat{ public: int age; void meow(); }; void Cat::meow(){ printf("meow!"); } Cat foo; int main(){ foo.age = 10; foo.meow(); return 0; } 2.cpp 二.
  142. 142. Class 2 (Global) .text:00401040 ; int __cdecl main() .text:00401040 _main proc near; CODE XREF: _main_0j .text:00401040 push ebp .text:00401041 mov ebp, esp .text:00401043 mov ?foo@@3VCat@@A.age, 0Ah ;Cat foo .text:0040104D mov ecx, offset ?foo@@3VCat@@A ;this .text:00401052 call j_?meow@Cat@@QAEXXZ; Cat::meow(v .text:00401057 xor eax, eax .text:00401059 pop ebp .text:0040105A retn .text:0040105A _main endp 2.exe 二.
  143. 143. Class 3 (new/delete) class Cat{ public: int age; void meow(); }; void Cat::meow(){ printf("meow!"); } int main(){ Cat *foo = new Cat; foo->age = 10; foo->meow(); delete foo; return 0; } 3.cpp 三.
  144. 144. Class 3 (new) .text:00401040 _main proc near ; CODE XREF: _main_0j .text:00401040 .text:00401040 p = dword ptr -0Ch .text:00401040 var_8 = dword ptr -8 .text:00401040 foo = dword ptr -4 .text:00401040 .text:00401040 push ebp .text:00401041 mov ebp, esp .text:00401043 sub esp, 0Ch .text:00401046 push 4 ; size .text:00401048 call ??2@YAPAXI@Z ;operator new(uint) .text:0040104D add esp, 4 .text:00401050 mov [ebp+var_8], eax .text:00401053 mov eax, [ebp+var_8] .text:00401056 mov [ebp+foo], eax .text:00401059 mov ecx, [ebp+foo] 3.exe 三.
  145. 145. Class 3 (delete) .text:0040106A mov edx, [ebp+foo] .text:0040106D mov [ebp+p], edx .text:00401070 mov eax, [ebp+p] .text:00401073 push eax ; p .text:00401074 call ??3@YAXPAX@Z ;operator delete(void .text:00401079 add esp, 4 .text:0040107C xor eax, eax .text:0040107E mov esp, ebp .text:00401080 pop ebp .text:00401081 retn .text:00401081 _main endp 3.exe 三.
  146. 146. Class 4 (Constructor/Destructor) class Cat{ public: int age; Cat(); ~Cat(); void meow(); }; Cat::Cat(){ printf("hi"); } Cat::~Cat(){ printf("bye"); } void Cat::meow(){ printf("meow!"); } 4.cpp 四. int main(){ Cat *foo = new Cat; foo->age = 10; foo->meow(); delete foo; return 0; }
  147. 147. Class 4 (Constructor) .text:00401030 ; void __thiscall Cat::Cat(Cat *this) .text:00401030 ??0Cat@@QAE@XZ proc near ;CODE XREF: Cat::Cat( .text:00401030 .text:00401030 this = dword ptr -4 .text:00401030 .text:00401030 push ebp .text:00401031 mov ebp, esp .text:00401033 push ecx .text:00401034 mov [ebp+this], ecx .text:00401037 push offset format ; "hi" .text:0040103C call _printf .text:00401041 add esp, 4 .text:00401044 mov eax, [ebp+this] .text:00401047 mov esp, ebp .text:00401049 pop ebp .text:0040104A retn .text:0040104A ??0Cat@@QAE@XZ endp 4.exe 四.
  148. 148. Class 4 (Destructor) .text:00401050 ; void __thiscall Cat::~Cat(Cat *this) .text:00401050 ??1Cat@@QAE@XZ proc near ;CODE XREF: Cat::~Cat( .text:00401050 .text:00401050 this = dword ptr -4 .text:00401050 .text:00401050 push ebp .text:00401051 mov ebp, esp .text:00401053 push ecx .text:00401054 mov [ebp+this], ecx .text:00401057 push offset aBye ; "bye" .text:0040105C call _printf .text:00401061 add esp, 4 .text:00401064 mov esp, ebp .text:00401066 pop ebp .text:00401067 retn .text:00401067 ??1Cat@@QAE@XZ endp 4.exe 四.
  149. 149. Class 4 (Constructor Call/Main) .text:00401090 push ebp .text:00401091 mov ebp, esp .text:00401093 push 0FFFFFFFFh .text:00401095 push offset __ehhandler$_main .text:0040109A mov eax, large fs:0 .text:004010A0 push eax .text:004010A1 mov large fs:0, esp .text:004010A8 sub esp, 1Ch .text:004010AB push 4 ; size .text:004010AD call ??2@YAPAXI@Z ; operator new(uint) .text:004010B2 add esp, 4 .text:004010B5 mov [ebp+var_14], eax .text:004010B8 mov [ebp+var_4], 0 .text:004010BF cmp [ebp+var_14], 0 .text:004010C3 jz short loc_4010D2 .text:004010C5 mov ecx, [ebp+var_14] ; this .text:004010C8 call j_??0Cat@@QAE@XZ ; Cat::Cat(void) .text:004010CD mov [ebp+var_18], eax .text:004010D0 jmp short loc_4010D9 4.exe 四.
  150. 150. Class 4 (Destructor Call/Main) .text:004010E4 mov edx, [ebp+foo] .text:004010E7 mov [ebp+var_14], edx .text:004010EA mov eax, [ebp+var_14] .text:004010ED mov [ebp+var_10], eax .text:004010F0 cmp [ebp+var_10], 0 .text:004010F4 jz short loc_401105 .text:004010F6 push 1 ; unsigned int .text:004010F8 mov ecx, [ebp+var_10] ; this .text:004010FB call j_??_GCat@@QAEPAXI@Z ; Cat::`scalar deleting destructor'(uint) .text:00401100 mov [ebp+var_18], eax .text:00401103 jmp short loc_40110C 4.exe 四.
  151. 151. Class 4 (Inside Helper Func) .text:00401150 push ebp .text:00401151 mov ebp, esp .text:00401153 push ecx .text:00401154 mov [ebp+this], ecx .text:00401157 mov ecx, [ebp+this] ; this .text:0040115A call j_??1Cat@@QAE@XZ ; Cat::~Cat(void) .text:0040115F mov eax, [ebp+arg_0] .text:00401162 and eax, 1 .text:00401165 jz short loc_401173 .text:00401167 mov ecx, [ebp+this] .text:0040116A push ecx ; p .text:0040116B call ??3@YAXPAX@Z ; operator delete(void *) .text:00401170 add esp, 4 .text:00401173 4.exe 四.
  152. 152. Class 5 (Encapsulation) class Cat{ public: void meow(); private: int age; void meowmeow(int n); }; void Cat::meowmeow(int n){ age = n; printf("meowmeow!"); } void Cat::meow(){ printf("meow!"); meowmeow(1); } 5.cpp 五. int main(){ Cat foo; foo.meow(); return 0; }
  153. 153. Class 5 (Meow Func) .text:00401030 ; void __thiscall Cat::meow(Cat *this) .text:00401030 ?meow@Cat@@QAEXXZ proc near ;CODE XREF: Cat::meow(void) .text:00401030 .text:00401030 this = dword ptr -4 .text:00401030 .text:00401030 push ebp .text:00401031 mov ebp, esp .text:00401033 push ecx .text:00401034 mov [ebp+this], ecx .text:00401037 push offset format ; "meow!" .text:0040103C call _printf .text:00401041 add esp, 4 .text:00401044 push 1 ; n .text:00401046 mov ecx, [ebp+this] ; this .text:00401049 call j_?meowmeow@Cat@@AAEXH@Z ;Cat::meowmeow(i .text:0040104E mov esp, ebp .text:00401050 pop ebp .text:00401051 retn 4.exe 五.
  154. 154. Class 6 (Inheritance) class Cat{ public: int age; Cat(); ~Cat(); void meow(); }; Cat::Cat(){ printf("hi"); } Cat::~Cat(){ printf("bye"); } void Cat::meow(){ printf("meow!"); } 6.cpp 六. class Kitty: public Cat{ public: int id; }; int main(){ Kitty foo; foo.age = 1; foo.id = 2; return 0; }
  155. 155. Class 6 (Inheritance) .text:00401110 ; void __thiscall Kitty::Kitty(Kitty *this) .text:00401110 ??0Kitty@@QAE@XZ proc near ;CODE XREF: Kitty::Kitty(voi .text:00401110 .text:00401110 this = dword ptr -4 .text:00401110 .text:00401110 push ebp .text:00401111 mov ebp, esp .text:00401113 push ecx .text:00401114 mov [ebp+this], ecx .text:00401117 mov ecx, [ebp+this] ; this .text:0040111A call j_??0Cat@@QAE@XZ ; Cat::Cat(void) .text:0040111F mov eax, [ebp+this] .text:00401122 mov esp, ebp .text:00401124 pop ebp .text:00401125 retn .text:00401125 ??0Kitty@@QAE@XZ endp 6.exe 六.
  156. 156. Class 6 (Inheritance/MainFunc) lea ecx, [ebp+foo] ; this call j_??0Kitty@@QAE@XZ ; Kitty::Kitty mov [ebp+foo.baseclass_0.age], 1 mov [ebp+foo.id], 2 6.exe 六. int main(){ Kitty foo; foo.age = 1; foo.id = 2; return 0; } Cat object age Kitty Object age id
  157. 157. Class 7 (Virtual Function) class Cat{ public: int age; virtual void meow(); virtual void meowmeow(); }; void Cat::meow(){ printf("meow!"); } void Cat::meowmeow(){ printf("meowmeow!"); } 7.cpp 七. class Kitty: public Cat{ public: void meow(); }; void Kitty::meow(){ printf("meow!!"); } int main(){ Cat foo; Kitty bar; return 0; }
  158. 158. Class 7 (virtual func) .text:004010F0 ; void __thiscall Cat::Cat(Cat *this) .text:004010F0 ??0Cat@@QAE@XZ proc near ; CODE XREF: Cat::Cat(void) .text:004010F0 .text:004010F0 this = dword ptr -4 .text:004010F0 .text:004010F0 push ebp .text:004010F1 mov ebp, esp .text:004010F3 push ecx .text:004010F4 mov [ebp+this], ecx .text:004010F7 mov eax, [ebp+this] .text:004010FA mov dword ptr [eax], offset ??_7Cat@@6B@ ; .text:00401100 mov eax, [ebp+this] .text:00401103 mov esp, ebp .text:00401105 pop ebp .text:00401106 retn .text:00401106 ??0Cat@@QAE@XZ endp 7.exe 七. const Cat::`vftable' Vtable pointer Added as hidden member
  159. 159. Class 7 (vtable) 7.exe 七. Array of function pointer which is declared as a virtual func Object Vtable Pointer Vtable Pointer of Virtual func1 Pointer of Virtual func2 Func1 Func2 Vtable Member
  160. 160. Q&A

×